base/utils/thresholds.zeek¶
-
GLOBAL¶
Functions for using multiple thresholds with a counting tracker. For
example, you may want to generate a notice when something happens 10 times
and again when it happens 100 times but nothing in between. You can use
the check_threshold function to define your threshold points
and the TrackCount variable where you are keeping track of your
counter.
| Namespace: | GLOBAL |
|---|
Summary¶
Redefinable Options¶
default_notice_thresholds: vector &redef |
The thresholds you would like to use as defaults with the
default_check_threshold function. |
Types¶
TrackCount: record |
Functions¶
check_threshold: function |
This will check if a TrackCount variable has crossed any
thresholds in a given set. |
default_check_threshold: function |
This will use the default_notice_thresholds variable to
check a TrackCount variable to see if it has crossed
another threshold. |
new_track_count: function |
Detailed Interface¶
Redefinable Options¶
-
default_notice_thresholds¶ Type: Attributes: Default: [30, 100, 1000, 10000, 100000, 1000000, 10000000]
The thresholds you would like to use as defaults with the
default_check_thresholdfunction.
Types¶
Functions¶
-
check_threshold¶ Type: function(v:vectorofcount, tracker:TrackCount) :boolThis will check if a
TrackCountvariable has crossed any thresholds in a given set.V: a vector holding counts that represent thresholds. Tracker: the record being used to track event counter and currently monitored threshold value. Returns: T if a threshold has been crossed, else F.
-
default_check_threshold¶ Type: function(tracker:TrackCount) :boolThis will use the
default_notice_thresholdsvariable to check aTrackCountvariable to see if it has crossed another threshold.
-
new_track_count¶ Type: function() :TrackCount